The Canadian Government’s Embarrassing Opposition to Security Breach Disclosure Legislation

Last week, the Privacy Commissioner of Canada released her vision of privacy reform, including the need for security breach disclosure legislation, order-making power, and greater transparency of warrantless disclosure. On the same day as Commissioner Stoddart released her position paper, the government was embarrassing itself in the House of Commons by formally opposing security breach disclosure legislation on the weakest of grounds. The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claims to be concerned with the privacy of Canadians.

The government introduced legislation featuring security breach disclosure requirements in Bill C-12 in September 2011 (itself a reintroduction of the former C-29 that was first introduced in 2010).  Since first reading, the bill has not moved. It would take very little for the government to complete second reading and send the bill for study to committee, yet more than a year and a half later, the bill languishes, certain to die this summer when the government hits the parliamentary reset button. Frustrated by the inexplicable delays, NDP MP Charmaine Borg introduced a private member’s bill in February (C-475) that includes a mandatory security breach requirement roughly similar to the government’s own bill. 

Both bills include notification requirements to the Privacy Commissioner of Canada in the event of certain security breaches. A comparison of the two bills is posted below:

Bill C-12 (Government Bill)

(1) An organization shall report to the Commissioner any material breach of security safeguards involving personal information under its control.
(2) The factors that are relevant to determining whether a breach of security safeguards is material include
(a) the sensitivity of the personal information;
(b) the number of individuals whose personal information was involved; and
(c) an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.

Bill C-475 (MP Borg Private Member Bill)

(2) An organization having personal information under its control shall notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.
(3) The factors that are relevant in determining whether a loss or disclosure of, or unauthorized access to, personal information would be considered by a reasonable person as creating a risk of harm are
(a) the sensitivity of the personal information; and
(b) the number of individuals whose personal information was involved.

Both bills follow the notification to the Commissioner with a potential notification to individuals who may be affected by the breach. Notwithstanding the similarities, government MPs used debate in the House of Commons last week to mischaracterize C-475. Conservative MP Parm Gill stated:

I wish to point out that the data breach notification regime proposed in Bill C-475 takes a starkly different approach than that in Bill C-12. Bill C-475 requires organizations to first notify the Privacy Commissioner of every potential data breach, regardless of context or remoteness. The Privacy Commissioner must then determine whether affected individuals should be notified. Given the potential number of breaches that could be reported, such a regime would increase costs and burdensome compliance procedures for Canadian businesses and would impose an unwieldy financial and administrative burden on the Office of the Privacy Commissioner, generating more costs than benefits for taxpayers.

As the table notes, the claim that there is a required notification of every breach in C-475 regardless of context or remoteness is simply false. Gill also wrongly claimed that C-475 would not capture breaches only affecting a few individuals and that the bill does not define “appreciable risk of harm.”  In fact, both C-12 and C-475 use roughly the same definition of harm.  The inaccuracies continue as Gill claims that C-475 creates uncertainties on the form of notification, yet it follows much the same approach as C-12. After Gill’s inaccuracies, MP Mike Lake picks up the torch, making many of the same claims and then noting that C-12 addresses a broader range of PIPEDA reforms.  That is an unfair comparison, given that C-475 only tries to address a narrow range of issues and only comes after the government sat on its own bill for a year and a half (other than a single request for unanimous consent to send the bill to committee).

While the government would have the public believe that its bill is preferable to Borg’s, the real message here is clear: the government isn’t serious about privacy reform and would rather mischaracterize efforts to get long overdue reforms moving as opposed to prioritizing its own bill that has not been allocated any time for debate since its introduction in September 2011.


  1. anonymous says:

    lawful access?
    surely the delay has to do with the fact that c-12 contains lawful access provisions that would reignite the debate we saw with c-30?

  2. Murray Long says:

    The lawful access provisions of Bill C-12 do not raise the same concerns as bill C-30 and, in committee the Harper Conservatives will likely be able to fend off criticisms from groups like CIPPIC, PIAC and Bar associations. I think the real issue with Bill C-12 is that the government now wants to wait out the end of term of Commissioner Stoddart before appointing someone who will be more amenable to living with the status quo.

    While Commissioner Stoddart has achieved a level of public respect that virtually none of her other colleagues in Commissioner roles have managed to achieve, I doubt this buys her any leverage with the Harper government – but they probably want to avoid the public embarrassment of being confronted by a Commissioner who knows what she is talking about, has the evidence and the track record to back up her comments and more credibility on this topic than the government has.

    As an aside, it’s a head scratcher when EU data commissioners, the FTC and provincial commissioners have much stronger powers than our federal Commissioner. But this is a government that remains ideologically committed to business interests over privacy interests, whatever the evidence might say. This despite the fact that many of the companies violating privacy standards in Canada are US owned.

  3. Who doesn’t want stricter privacy breach reporting?
    The Canadian people/constituency? Uhm, nope. We all want stricter reporting when our data is carelessly mishandled by Corporate America. And our own bumbling government!

    So, let’s see, who is it that wouldn’t want stricter reporting rules? Hrmmm. Oh! I know. Big Business and Corporate America.

    Well, there ya go. Harper is fucking over the constituency because it does not sit well with Corporate America. Again.

    Talk about wanting to maintain the status quo. If the status quo is Harper fucking us over, it’s being well maintained.